Monday, December 26, 2011

Small off topic

There are still two main things to do in order to completely break the CPSIII system: One of them is adding support from/to 2nd Giant. The other one is taking back to life dead cartridges. Both things will take a loooot of time and any support I get will certainly motivate me moving forward.

Besides the donate button, there are two other ways you can support for free this project if you like it:

* If you find it interesting, click on any of the ads that are shown on the blog.
* If you come from France, please tell all your friends about my other french site: (I really hope this works out so I can definitely move to France :)

Hope you didn't mind this little off topic and expect more CPS3 news very soon!!


Friday, December 23, 2011

Christmas Release v0.3

And a new version is usual rename to RAR and extract.

Some bugs have been fixed, but the biggest improvement is....REGION SELECTOR!
You can now choose the region that you want it to run, regardles of the cartridge version that you have. Nice isn't it??

This time, supports all ISOS available of SFIII 3rd strike and JoJos adventure. No SFIII 2ndImpact yet :(

Enjoy Christmas y'all there.

Friday, December 16, 2011

Do you know these versions??

See below some links of some "special" versions of Warzard/Red Earth.

The new version of the tool (coming soon) will let you choose the target country code of the ISOS generated. They will work independently of the country code of the cartridge.

@Ian: It will support Warzard country code.

Monday, December 12, 2011

Comments about the tool

The v0.2 of the tool, that works with ISOS, for the moment supports all ISOS except  JJK-160 and 33S-2 which have different CD structures than JJK-140 and 33S-1 respectively. This will be updated soon.

Regarding what contains every CD, CD2 contains always what can't fit in CD1 following this rule:

20 --> 10
50 --> 30
60 --> 40

That means that IF target CD has no file 20, 2nd CD will have file 20 in the position of 10. However if target CD has 20 it will go in CD1.

i.e. if we want to play JOJOBA on a JOJO cartridge, the 1st CD will have correct files 10,20,30,31,40 and 41 (meaning SIMMS 1,2,3 and 4).
From the 2nd CD only interest us the files 50 and 51 which will be located in position of 30 and 31 (SIMM 3).
To make it correctly, install first CD2 (will update SIMM3) replace SIMM3 with an new one, update using CD1 and place the SIMM3 extracted in the 1st update into position SIMM5. Notice that in both updates we should keep something in SIMM5, for the BIOS to let us upgrade.

I hope it's clear now :)

Apparently there is A 2nd revision of JOJO Bizzarre adventure with date 990927. If you manage to get it please let me know.


Saturday, December 10, 2011

The Tool v0.2

See below link for new tool ready to work with ISOS. Rename to RAR and extract.

The tool will automatically generate 2 ISOS if needed and recognizes all CPS3 CDs.

Regarding SFIII-2nd the tool is prepared to support a decryption table so it can be reconverted for each cartridge.

No time yet to release a proper TXT file. As stated in the source code, this is released as GNU General Public License. If you release a new binary, you also have to release the source code so others can enjoy your change.

A new version with nice menu for Windows in Visual C++ will be available soon.


Thursday, December 8, 2011

The new tool and Street Fighter III - 2nd Impact

I'm currently working on a new version of the tool that works directly with ISO files and recognizes automatically the game, so you just enter the filename of the input ISO and the filename of an ISO of the output cartridge and you'll get the game converted. You need to input a second ISO to copy the header and some other data that will remain unchanged from an ISO of the destination cartridge.
The tool should hopefully be ready soon and will be released together with source code.

This will give a lot of options to people who want to develop it further like i.e. using infinite energy, change the country code,etc.

I have asked a colleague to port it to Visual C++ what will make it even easier as you can use the browser and just click on the isos.

Regarding SFIII-2 please notice that this is a very special version. The code itself is still encypted using the keys 0x00000000 and 0x00000000, BUT the data is not. This means that we have mixed encrypted and non encrypted data in consecutive adresses....So how to convert from one system to anouther??

At the moment I am working on a background logging routine that outputs every memory address that has been read in the range 0x06000000-0x06ffffff. With this we can try to identify which part is data and which part is code. The problem is that you have to start the logger and start playing, inserting coins, playing the game to the end, enter the Service menu, Win a battle, lose a battle, to sum up, you have to make sure that all the possible instructions are being run, because if not, my program won't decode them and if we ever happen to execute this instruction, the programm will probably freeze.
I'm trying this logger with SFIII-2 what means that if I have success, one can play SFIII-2 in OTHER systems. If we want the SFIII-2 cartridge to run other games, we have to do exactly the same for the other 5 GAMES(play them to the end, process the log and create a decryption table that will allow us to convert them to the destination cartridge). It may sound easier to say than to do....believe me :)

Last but not least I would like to thank all the people who donate. For me it's a good sign that you like my job and will motivate me on working further. THANK YOU!

Sunday, December 4, 2011

The tool

Rename to RAR and extract.

I'm already working on the tool that will support ISOs directly and will recognize them regardless their name. However for those who are not willing to wait....

Notice that SFIII 2nd Impact is not supported yet.

Let me know how it works for you.

Wednesday, November 23, 2011

Releasing the tool

Hi there,

I received the Sygnal analyser ten days ago. I'm trying to setup everything to start reading signals. It's easier to say than to do it :))

I plan to release the tool to convert games in very very short time, however the tool at this moment, although it works great, it works with files (10, 20, 30,31,etc. which are inside the CD) rather than with the ISO itself so you need to extarct the files from the ISO, convert them with the tool and use an HEX EDitor to put the content back.
Another feature is that it's programmed with DJGPP =)) rolling on the floor

I was thinking about converting it to Visual C++ and make it work with ISOs, but this will eventually delay the release. Should I release it as it is?

Another thing is that if you want to convert a game for a cart that uses less memory (like i.e. SFIII 3rd Strike to work on cartridge of SFIII NewGen), then you need to create 2 cds. The first CD will contain the files 10,30,31,40 and 41 and we will update as normally, then we need to remove these SIMMS, replace them with new ones and make the second update.
After that we move the SIMMS of the second update to their rightposition (Slot 1-->Slot 2 and Slot 3 -->5 and Slot 4-->Slot 6) and place the SIMMS of the first update to the Slots 1,3 and 4.
Notice that in both updates you should have the correspondent SIMM in slot 5 although we will discard it at the end.

As the cartridge hasn't been hacked yet, this is the only way to do it. Actually it will take almost the same amount of time to make the update as with the original. The main hassle is to change the SIMMS.

If you have any comments or would like to help with the conversion to Visual C++, feel free to comment. I will also release the source probably as GPL.

Friday, October 14, 2011

frequency modifier

As I said in previous posts, the Custom SH2 is feeded with a 6.25Mhz clock. and then multiplied by a factor of 4.

According to SH2 specificactions, this should be done by writting a certain value (2 in this case to address H'FFFFFE90). This must be done from the cache memory (H'C0000000 area). Until this is done, the CPU runs at 6.25Mhz. This means that Flash rom is being read at a lower pace until we force the CPU to run faster.

Still waiting for the sygnal analyzer....

knowing the cartridge better

I made a couple of corrections to my previous post. Apparently none of the chips on the CPU board(except the SH2) have any tricky protection-related function and they seem to be used to generate signals for the SH2 which is constantly powered.

The pinout seems to be identical to the one of the SH2(SH7604), so at this moment I can only think of two ways of reprogramming the keys insides.

* One option is that the SH2 can still run code but with a different unknown-factory-set-key. In that case replacing the BIOS allows the manufacturer to execute code that can reset the keys. I can confirm/refute this optionwhen I get the new sygnal analyzer.
* Another option would be a combination of signals to activate a "programming mode", like i.e.put the two keys in the data bus and activate some control pins.

It also intrigates me that replacing the custom SH2 with a standard SH2, doesn't work. Was the BIOS properly decrypted? Are the control signals on the SH2 working in the same way?

Monday, October 10, 2011

Moving forward

I finally received a good bunch of Flash memories and 2 adaptors for these memories, so I can make myself so many tests as I want.

If you have a look at the pictures below, you'll notice that the cartridge is prepared from factory to work with 2 types of flash roms, the 29f400 (located at position U2 of the cartridge ) and the 28f400(located at U5). The one located at U2 has a similar distance between pins as the SH2, which is a nightmare to solder without the proper equiment, the other one in the back side(U5) has a much nicer pinout, which allows me to connect an eprom to it and test many BIOS.See pictures below of front and back side of cartridge. Notice that the tiny sub-pcb on the back side is just fixed with tape.

I have ordered a digital analyzer so I can check by myself if there is real traffic going on between CPU and EPROM. If nothing happens, that would be bad news, as it will mean that the CPU is somehow blocked. However if it can be unblocked by Capcom, it must be reading something, I just needs to find out where.

I send several re-encrypted Bios to some people interested on trying them, they were re-coded with combinations of keys to ffff and 0's, none of them apparently worked, but as I said before, instead of making blind shots, I'd check first if there is real traffic going on.

In one of the many tests that I did, I tried to run the system with a working and non working cartridges.Once I forgot to insert any cartridge and I got the same picture as with a dead cartridge?!? See picture below.

In the meanwhile I have made a small schematics of the cartridge, see picture at the end. Several interesting conclusions can be made:

I have found a QFP144 pinout of the SH2 that provides helpful information about the structure of the system. (actually i'ts a SH7604, more info here:

The Pinout of the the Custom SH2 doesn't match with the pinout of the QFP-144 SH2, therefore replacing it with a standard SH2, won't work at all. Even if.replacing the SH2 was the solution, this.
Replacing the SH2 is something that I don't like much, as replacing SMDs is not available for everyone, so I'd like something easier, like removing the U2 flash and soldering a new one @ U5.

Another interesting thing is that there is a crystal quartz which is feeding the Custom SH2, which is constantly powered. I still don't know why this frequency is being used instead of the 25Mhz to which is supposed to run.   Frequency of crystal is 25Mhz/4 (6.25Mhz), the SH2 can be configured to run using a multiple (x4) of this frequency.

Bottom line: The custom SH2 is more custom than I expected and as the pinout is proving, however if there is real traffic between the SH2 and the Eprom, it would be just a question of trying several keys.
If there is no traffic, I'll have to use the sygnal analyzer and try to find out the real pinout of the whole thing....and that's going to take sooome time. Let's hope chinese post is fast.

Tuesday, August 23, 2011

Bios+Games ready to test

I finally found where the problem with the BIOS was, it's with a function called cps3_dma_callback which is a bypass to execute the DMAs as the original CPS3 does.

For those who don't know what a DMA is, basically it's a way of copying blocks of data without making them going through the processor and therefore leaving it availiable to make other things. Basically your code, needs to send some instructions to a controller (disk drive, hard disk, CD, etc) and tell them which sector(s) to copy into which region(s) of memory. This controller has Direct Memory Access (DMA) and copies the data without your processor noticing it. When the copying process is ready a flag or IRQ is triggered.

Anyway, Mame is a very complex emulator and it uses a trick to emulate the DMA properly (when a DMA is performed it should bypass the encryption).

I have tried the BIOS with SFIII NG and SFIII-3 and in both works like a charm.

I have now created a full set of the 6 games completely unprotected and a BIOS based on the BIOS of SFIII-3.

Notice that all this is based on the assumption that a suicided cartridge will execute unencripted code.

If this doesn't happen to be the case, my next shot will be to use a signal analyser to see what communication is really going on between CPU and BIOS in a suicided cartridge. If it's reading something probably it will execute something....

I ordered some working and non working cartridges and I'll try to flash the new BIOS in them. Can't wait to have them with me....

more news soon.

Friday, August 19, 2011

1 BIOS is enough

Following my crusade against CPS3 protection, I created an unencrypted BIOS, an unencripted ROMSET and an unencripted MAME's cps3.c. I put everything together (it's easier to say that to do) and finally I run it.
Good news is that it works great and ONLY one bios, SFIII NewGen works with all 6 games.

Actually if you check the code when the game is running it doesn't go back to the BIOS (at least I didn't see it), what makes me believe that once it starts running the game BIOS is not needed anymore.

If we press the service button AND select rewrite the game or the graphics, then we'll jump back to the BIOS.
Another interesting thing is that the Service menu is located in the game code, not in the BIOS.

I also managed to remove all protections in this decrypted BIOS and now it takes any code. I still need to remove the Capcom format CD check.

Unfortunately  for some strange reason (probably related to the encyrption) this BIOS can only update the char roms, it doesn't update the code.
Another problem, probably originated by the same reason as above, it gives a failure in the SIMM memory check of the BIOS, but only in the SIMMS that hold the code, the rest are OK...needs further checking.

More news soon.

Tuesday, August 9, 2011

CRCs are history

I start debugging and getting into the program. I don't know the rest of debuggers out there, but at least in my case, debugging is like programming, in the sense that it takes some time to get into the program and be really productive, so you can't just work in sessions of half an hour.

A couple of days later (overnight which is when I usually can work more than 20 minutes without interrumptions)  I have found all the CRC checks.

There are a couple of interesting things in the CRC checks.
First is that there are several CRC checks and they go in blocks. Files 30 and 31 have a common CRC so I just need to modify the 31 and the test will go OK for files 30 and 31. The same goes for 40 and 41, 50 and 51 as well as 60 and 61(4 checks in total in the longest game)

Secondi is that files 10 and 20 have an independent CRC so I should change the CRC both in files 10 and 20.
Another interesting thing is that there are only 6 types of cartridges. If the key is the same, the CRC check is the same. The BIOS may change, but the keys and the CRC are the same independently of country and revision.

After that I have modified my c program and now I just enter the input version and the output cartridge and I get all files re-encrypted and with the right CRC. The ISO modifying process is still manual though.

I have done several tests like Warzard/Red Earth running on SFIII New Gen Cartridge or JOJO Bizarre adventure running in SFIII-3 cartridge. I have done many more tests in MAME which work OK but only those two in the real thing.

I have ordered several memories to enlarge my SFIII Newgen board and I'll convert all 6 games for this cartridge which is one of the earliest. This will eventually proof that games can independently of the cartridge model.

In the meanwhile, I'm creating an unencrypted BIOS that will skip all the CRC and CD Checks so that will accept any CD and any CRC Check. If I manage to get this BIOS without encryption(I don't mean with the keys to 0's but just unencrypted) running on a recompiled version of MAME we will be very close to a phoenix cartridge. I'm about to order a socket for the 29F400 so I can reprogramm it many times without the hassle of soldering. If someone has some tips about how to make many tests on a 29f400 eprom please advice.

Expect more news sometime soon.

Saturday, August 6, 2011

recrypting the code and CRC problem.

It looks like everytime I go further with a problem a new one appears.
If I want to do something worth it, I should get into the encryption of the system.

I search in my old CDs for the old good djgpp :))
I check what Andy did and how this was implemented in MAME's cps3.c and I start programming....

3 weeks later I have a program working that can decrypt the content of all the files in the CD, encrypt them again with another key and save the result.

Apparently only code files 10 and 20 are encrypted, the rest remains as it is.

I change the code of file 10 into my ISO, but again the same shit, a message says that the system can't be updated :((

There should be some sort of CRC check or even worse a CRC/SHA check that will make it really hard to run any other code than the one originally planned to run in the system :((

However this time the error message was around 80% of upgrade process. This should be definitely a CRC Check.

I see only one solution...debug it in MAME.

I get a copy of MAME and start debugging the game.  I'm used to debug in CISC processors and this SH2 is RISC. It's really shit to understand something here. CISC is soooo much clear.

After several days I manage to get into it and I find several breakpoints just before the upgrading process. I'll debug it both using my ISO converted to CHD and the CHD for this game.

Understanding the CD

I have decided to give a try and check the structure of the CDs of CPS3, maybe I can change the code and get some infinite lives or even better change my system to another game.

After some research I found the Blog of Andy:
If code is encripted, it's gonna be trickier than I expected....

I extracted the files of my SFIII NewGen CD and created a copy of it, file by file, but my board doesn't recognise the CD :((

I have changed the content of files 10,30,31,40,41 with an HEX Editor and it now recognises the CD and starts the game. This means I'm gonna have to use an HEX Editor to change the content of the ISO.

Files 30 and 31 are related to graphics so I'll replace their content with the content of Warzard/Red Earth which seems to run with the same amount of memory.

After finding out how to upgrade the game in the service menu (might not be so easy to find if you have a Jap BIOS) the sytem starts upgrading....

Ploff!!! at the middle of the process, the upgrade stopped and the screen says that I should contact the technical service WTF! :((( Did I brick my CPS3???

I start my system again and it says automatically that I should  upgrade the system. I insert my original CD and upgrades back to SFIII New Gen (luckily).

I believe there should be some sort of CRC check. I have to think over how to go next.

The final result of all this, can be checked here:

Breaking CPS3

After the several requests I've decided to open a blog to show my developments on CPS3.

I have decided to post it like in history mode, step by step, so that everyone can see that this was not a weekend job. Expect recent updates at least at the beggining.